On Wednesday, the Global Privacy Enforcement Network (“GPEN”) published the findings of its 2017 “Sweep”. The GPEN is an informal international network of data protection agencies from around the globe, including the Irish Data Protection Commissioner (the “DPC”), which aims to facilitate and encourage co-operation between national data protection agencies at a global level.
As part of this investigation, 24 separate data protection agencies examined a total of 455 websites and applications across a broad spectrum of sectors. The purpose of the investigation was to examine “privacy communications and practices in relation to user controls over personal information” (essentially, online privacy notices and other types of communications with users on matters of data protection and privacy) to determine how clear it was, from a user’s perspective, what data was being collected, why it was being collected, and how it was being processed, used and shared. The DPC’s contribution to the investigation focused on the use of e-receipts (i.e. seeking customer email addresses in order to provide receipts for online purchases) and on travel organisations as a specific sector.
Online privacy notices will be familiar to anyone using online services; they are a public and obvious declaration of how the organisation applies data protection principles to user data gathered and processed on its website, across the various elements and stages of the website itself. The need for these notices in Ireland derives from various pieces of legislation and from the principle of “fair processing” of personal data.
The investigation found that, generally, privacy communications tended to be quite vague and generic. Most organisations failed to inform users what would happen to their information once it had been provided, failed to specify with whom data would be shared, failed to refer to the security of the data, did not say where data was stored (i.e. which country), and failed to outline how users could access their personal data. The report concluded that “users need to be better informed in relation to how they can access or remove the information they provide online, whether the information will be shared and with whom, and whether the information they provide will be stored in a sufficiently secure manner”.
The shortcomings identified by this investigation will become even more significant following the introduction of the GDPR on 25 May 2018. The GDPR will place greater obligations on data controllers and data processors at all stages of the data life cycle, including the legal basis for data collection, transparency, the provision of information to data subjects and the rights of data subjects with respect to their personal data.
From an Irish perspective, following its particular role in this investigation, the DPC is to publish guidance on the use of e-receipts and will initiate a specific audit of travel organisations to raise awareness of obligations under current data protection legislation and under the GDPR.
Organisations with an online presence need to ensure that their privacy communications with users meet current data protection laws, and should review them further to bring them into line with the impending GDPR.